release-1.4.7 tag

Additionally, make sure to check for errors from ngx_http_parse_header_line()
call after joining saved parts.  There shouldn't be any errors, though
check may help to catch bugs like missing f->split_parts reset.

Reported by Lucas Molas.

docs/text/LICENSE

@@ -1,6 +1,6 @@
 /* 
- * Copyright (C) 2002-2013 Igor Sysoev
- * Copyright (C) 2011-2013 Nginx, Inc.
+ * Copyright (C) 2002-2014 Igor Sysoev
+ * Copyright (C) 2011-2014 Nginx, Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

docs/xml/nginx/changes.xml

@@ -5,6 +5,348 @@
 <change_log title="nginx">
 
 
+<changes ver="1.4.7" date="18.03.2014">
+
+<change type="security">
+<para lang="ru">
+при обработке специально созданного запроса модулем ngx_http_spdy_module
+могло происходить переполнение буфера в рабочем процессе,
+что потенциально могло приводить к выполнению произвольного кода
+(CVE-2014-0133).<br/>
+Спасибо Lucas Molas из Programa STIC, Fundación Dr. Manuel
+Sadosky, Buenos Aires, Argentina.
+</para>
+<para lang="en">
+a heap memory buffer overflow might occur in a worker process 
+while handling a specially crafted request by ngx_http_spdy_module,
+potentially resulting in arbitrary code execution
+(CVE-2014-0133).<br/>
+Thanks to Lucas Molas, researcher at Programa STIC, Fundación Dr. Manuel
+Sadosky, Buenos Aires, Argentina.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+в директиве fastcgi_next_upstream.<br/>
+Спасибо Lucas Molas.
+</para>
+<para lang="en">
+in the "fastcgi_next_upstream" directive.<br/>
+Thanks to Lucas Molas.
+</para>
+</change>
+
+</changes>
+
+
+<changes ver="1.4.6" date="04.03.2014">
+
+<change type="bugfix">
+<para lang="ru">
+директива client_max_body_size могла не работать
+при чтении тела запроса с использованием chunked transfer encoding;
+ошибка появилась в 1.3.9.<br/>
+Спасибо Lucas Molas.
+</para>
+<para lang="en">
+the "client_max_body_size" directive might not work
+when reading a request body using chunked transfer encoding;
+the bug had appeared in 1.3.9.<br/>
+Thanks to Lucas Molas.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+при проксировании WebSocket-соединений
+в рабочем процессе мог произойти segmentation fault.
+</para>
+<para lang="en">
+a segmentation fault might occur in a worker process
+when proxying WebSocket connections.
+</para>
+</change>
+
+</changes>
+
+
+<changes ver="1.4.5" date="11.02.2014">
+
+<change type="bugfix">
+<para lang="ru">
+переменная $ssl_session_id содержала всю сессию в сериализованном виде
+вместо её идентификатора.<br/>
+Спасибо Ivan Ristić.
+</para>
+<para lang="en">
+the $ssl_session_id variable contained full session serialized
+instead of just a session id.<br/>
+Thanks to Ivan Ristić.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+клиентские соединения могли сразу закрываться,
+если использовался отложенный accept;
+ошибка появилась в 1.3.15.
+</para>
+<para lang="en">
+client connections might be immediately closed
+if deferred accept was used;
+the bug had appeared in 1.3.15.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+при проксировании в логах могли появляться сообщения "zero size buf in output";
+ошибка появилась в 1.3.9.
+</para>
+<para lang="en">
+alerts "zero size buf in output" might appear in logs while proxying;
+the bug had appeared in 1.3.9.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+в рабочем процессе мог произойти segmentation fault,
+если использовался модуль ngx_http_spdy_module.
+</para>
+<para lang="en">
+a segmentation fault might occur in a worker process
+if the ngx_http_spdy_module was used.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+при использовании методов обработки соединений select, poll и /dev/poll
+проксируемые WebSocket-соединения могли зависать сразу после открытия.
+</para>
+<para lang="en">
+proxied WebSocket connections might hang right after handshake
+if the select, poll, or /dev/poll methods were used.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+при чтении тела запроса с использованием chunked transfer encoding
+по SSL-соединению мог произойти таймаут.
+</para>
+<para lang="en">
+a timeout might occur while reading client request body
+in an SSL connection using chunked transfer encoding.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+утечки памяти в nginx/Windows.
+</para>
+<para lang="en">
+memory leak in nginx/Windows.
+</para>
+</change>
+
+</changes>
+
+
+<changes ver="1.4.4" date="19.11.2013">
+
+<change type="security">
+<para lang="ru">
+символ, следующий за незакодированным пробелом в строке запроса,
+обрабатывался неправильно (CVE-2013-4547);
+ошибка появилась в 0.8.41.<br/>
+Спасибо Ivan Fratric из Google Security Team.
+</para>
+<para lang="en">
+a character following an unescaped space in a request line
+was handled incorrectly (CVE-2013-4547);
+the bug had appeared in 0.8.41.<br/>
+Thanks to Ivan Fratric of the Google Security Team.
+</para>
+</change>
+
+</changes>
+
+
+<changes ver="1.4.3" date="08.10.2013">
+
+<change type="bugfix">
+<para lang="ru">
+в рабочем процессе мог произойти segmentation fault,
+если использовался модуль ngx_http_spdy_module
+и директива client_body_in_file_only.
+</para>
+<para lang="en">
+a segmentation fault might occur in a worker process
+if the ngx_http_spdy_module was used
+with the "client_body_in_file_only" directive.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+на старте или во время переконфигурации мог произойти segmentation fault,
+если использовалась директива try_files с пустым параметром.
+</para>
+<para lang="en">
+a segmentation fault might occur on start or during reconfiguration
+if the "try_files" directive was used with an empty parameter.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+переменная $request_time не работала в nginx/Windows.
+</para>
+<para lang="en">
+the $request_time variable did not work in nginx/Windows.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+в модуле ngx_http_auth_basic_module
+при использовании метода шифрования паролей "$apr1$".<br/>
+Спасибо Markus Linnala.
+</para>
+<para lang="en">
+in the ngx_http_auth_basic_module
+when using "$apr1$" password encryption method.<br/>
+Thanks to Markus Linnala.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+в модуле ngx_http_autoindex_module.
+</para>
+<para lang="en">
+in the ngx_http_autoindex_module.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+в почтовом прокси-сервере.
+</para>
+<para lang="en">
+in the mail proxy server.
+</para>
+</change>
+
+</changes>
+
+
+<changes ver="1.4.2" date="17.07.2013">
+
+<change type="bugfix">
+<para lang="ru">
+метод $r->header_in() встроенного перла не возвращал значения строк
+"Cookie" и "X-Forwarded-For" из заголовка запроса;
+ошибка появилась в 1.3.14.
+</para>
+<para lang="en">
+the $r->header_in() embedded perl method did not return value of the
+"Cookie" and "X-Forwarded-For" request header lines;
+the bug had appeared in 1.3.14.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+nginx не собирался с модулем ngx_mail_ssl_module,
+но без модуля ngx_http_ssl_module;
+ошибка появилась в 1.3.14.
+</para>
+<para lang="en">
+nginx could not be built with the ngx_mail_ssl_module,
+but without ngx_http_ssl_module;
+the bug had appeared in 1.3.14.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+в директиве proxy_set_body.<br/>
+Спасибо Lanshun Zhou.
+</para>
+<para lang="en">
+in the "proxy_set_body" directive.<br/>
+Thanks to Lanshun Zhou.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+параметр fail_timeout директивы server
+в блоке upstream мог не работать,
+если использовался параметр max_fails;
+ошибка появилась в 1.3.0.
+</para>
+<para lang="en">
+the "fail_timeout" parameter of the "server" directive
+in the "upstream" context might not work
+if "max_fails" parameter was used;
+the bug had appeared in 1.3.0.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+в рабочем процессе мог произойти segmentation fault,
+если использовалась директива ssl_stapling.<br/>
+Спасибо Piotr Sikora.
+</para>
+<para lang="en">
+a segmentation fault might occur in a worker process
+if the "ssl_stapling" directive was used.<br/>
+Thanks to Piotr Sikora.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+nginx/Windows мог перестать принимать соединения,
+если использовалось несколько рабочих процессов.
+</para>
+<para lang="en">
+nginx/Windows might stop accepting connections
+if several worker processes were used.
+</para>
+</change>
+
+</changes>
+
+
+<changes ver="1.4.1" date="07.05.2013">
+
+<change type="security">
+<para lang="ru">
+при обработке специально созданного запроса
+мог перезаписываться стек рабочего процесса,
+что могло приводить к выполнению произвольного кода (CVE-2013-2028);
+ошибка появилась в 1.3.9.<br/>
+Спасибо Greg MacManus, iSIGHT Partners Labs.
+</para>
+<para lang="en">
+a stack-based buffer overflow might occur in a worker process
+while handling a specially crafted request,
+potentially resulting in arbitrary code execution (CVE-2013-2028);
+the bug had appeared in 1.3.9.<br/>
+Thanks to Greg MacManus, iSIGHT Partners Labs.
+</para>
+</change>
+
+</changes>
+
+
 <changes ver="1.4.0" date="24.04.2013">
 
 <change type="bugfix">

misc/GNUmakefile

@@ -3,11 +3,10 @@ VER =		$(shell grep 'define NGINX_VERSION' src/core/nginx.h	\
 			| sed -e 's/^.*"\(.*\)".*/\1/')
 NGINX =		nginx-$(VER)
 TEMP =		tmp
-REPO =		$(shell svn info | sed -n 's/^Repository Root: //p')
 
 OBJS =		objs.msvc8
-OPENSSL =	openssl-1.0.1e
-ZLIB =		zlib-1.2.7
+OPENSSL =	openssl-1.0.1f
+ZLIB =		zlib-1.2.8
 PCRE =		pcre-8.32
 
 
@@ -38,40 +37,14 @@ release: export
 
 export:
 	rm -rf $(TEMP)
-
-	if [ -d .svn ]; then						\
-		svn export -rHEAD . $(TEMP)/$(NGINX);			\
-	else								\
-		hg archive -X '.hg*' $(TEMP)/$(NGINX);			\
-	fi
+	hg archive -X '.hg*' $(TEMP)/$(NGINX)
 
 
 RELEASE:
-	if [ -d .svn ]; then						\
-		$(MAKE) -f misc/GNUmakefile RELEASE.svn;		\
-	else								\
-		$(MAKE) -f misc/GNUmakefile RELEASE.hg;			\
-	fi
-
-	$(MAKE) -f misc/GNUmakefile release
-
-
-RELEASE.hg:
 	hg ci -m nginx-$(VER)-RELEASE
 	hg tag -m "release-$(VER) tag" release-$(VER)
 
-	
-RELEASE.svn:
-	test -d $(TEMP) || mkdir -p $(TEMP)
-
-	echo "nginx-$(VER)-RELEASE" > $(TEMP)/message
-	svn ci -F $(TEMP)/message
-
-	echo "release-$(VER) tag" > $(TEMP)/message
-	svn copy $(REPO)/trunk $(REPO)/tags/release-$(VER)		\
-		-F $(TEMP)/message
-
-	svn up
+	$(MAKE) -f misc/GNUmakefile release
 
 
 win32:

misc/README

@@ -1,7 +1,4 @@
 
-GNUmakefile, in svn it is available since 0.4.0 only.
-
-
 make -f misc/GNUmakefile release
 
 the required tools:

src/core/nginx.h

@@ -9,8 +9,8 @@
 #define _NGINX_H_INCLUDED_
 
 
-#define nginx_version      1004000
-#define NGINX_VERSION      "1.4.0"
+#define nginx_version      1004007
+#define NGINX_VERSION      "1.4.7"
 #define NGINX_VER          "nginx/" NGINX_VERSION
 
 #define NGINX_VAR          "NGINX"

src/core/ngx_connection.c

@@ -647,7 +647,13 @@ ngx_configure_listening_sockets(ngx_cycle_t *cycle)
         if (ls[i].add_deferred || ls[i].delete_deferred) {
 
             if (ls[i].add_deferred) {
-                timeout = (int) (ls[i].post_accept_timeout / 1000);
+                /*
+                 * There is no way to find out how long a connection was
+                 * in queue (and a connection may bypass deferred queue at all
+                 * if syncookies were used), hence we use 1 second timeout
+                 * here.
+                 */
+                timeout = 1;
 
             } else {
                 timeout = 0;

src/core/ngx_crypt.c

@@ -137,7 +137,7 @@ ngx_crypt_apr1(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted)
 
     /* output */
 
-    *encrypted = ngx_pnalloc(pool, sizeof("$apr1$") - 1 + saltlen + 16 + 1);
+    *encrypted = ngx_pnalloc(pool, sizeof("$apr1$") - 1 + saltlen + 1 + 22 + 1);
     if (*encrypted == NULL) {
         return NGX_ERROR;
     }

src/event/ngx_event.c

@@ -607,6 +607,17 @@ ngx_event_process_init(ngx_cycle_t *cycle)
         ngx_use_accept_mutex = 0;
     }
 
+#if (NGX_WIN32)
+
+    /*
+     * disable accept mutex on win32 as it may cause deadlock if
+     * grabbed by a process which can't accept connections
+     */
+
+    ngx_use_accept_mutex = 0;
+
+#endif
+
 #if (NGX_THREADS)
     ngx_posted_events_mutex = ngx_mutex_init(cycle->log, 0);
     if (ngx_posted_events_mutex == NULL) {

src/event/ngx_event_openssl.c

@@ -965,6 +965,7 @@ ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size)
             size -= n;
 
             if (size == 0) {
+                c->read->ready = 1;
                 return bytes;
             }
 
@@ -974,6 +975,10 @@ ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size)
         }
 
         if (bytes) {
+            if (c->ssl->last != NGX_AGAIN) {
+                c->read->ready = 1;
+            }
+
             return bytes;
         }
 
@@ -2224,32 +2229,26 @@ ngx_int_t
 ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {
     int           len;
-    u_char       *p, *buf;
+    u_char       *buf;
     SSL_SESSION  *sess;
 
     sess = SSL_get0_session(c->ssl->connection);
-
-    len = i2d_SSL_SESSION(sess, NULL);
-
-    buf = ngx_alloc(len, c->log);
-    if (buf == NULL) {
-        return NGX_ERROR;
+    if (sess == NULL) {
+        s->len = 0;
+        return NGX_OK;
     }
 
+    buf = sess->session_id;
+    len = sess->session_id_length;
+
     s->len = 2 * len;
     s->data = ngx_pnalloc(pool, 2 * len);
     if (s->data == NULL) {
-        ngx_free(buf);
         return NGX_ERROR;
     }
 
-    p = buf;
-    i2d_SSL_SESSION(sess, &p);
-
     ngx_hex_dump(s->data, buf, len);
 
-    ngx_free(buf);
-
     return NGX_OK;
 }
 

src/event/ngx_event_openssl_stapling.c

@@ -611,15 +611,14 @@ ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx)
         != 1)
     {
         ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
-                      "certificate status not found in the OCSP response",
-                      n, OCSP_response_status_str(n));
+                      "certificate status not found in the OCSP response");
         goto error;
     }
 
     if (n != V_OCSP_CERTSTATUS_GOOD) {
         ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                       "certificate status \"%s\" in the OCSP response",
-                      n, OCSP_cert_status_str(n));
+                      OCSP_cert_status_str(n));
         goto error;
     }
 

src/http/modules/ngx_http_autoindex_module.c

@@ -304,7 +304,7 @@ ngx_http_autoindex_handler(ngx_http_request_t *r)
             if (ngx_de_info(filename, &dir) == NGX_FILE_ERROR) {
                 err = ngx_errno;
 
-                if (err != NGX_ENOENT) {
+                if (err != NGX_ENOENT && err != NGX_ELOOP) {
                     ngx_log_error(NGX_LOG_CRIT, r->connection->log, err,
                                   ngx_de_info_n " \"%s\" failed", filename);
 
@@ -388,7 +388,7 @@ ngx_http_autoindex_handler(ngx_http_request_t *r)
 
     b = ngx_create_temp_buf(r->pool, len);
     if (b == NULL) {
-        return NGX_HTTP_INTERNAL_SERVER_ERROR;
+        return NGX_ERROR;
     }
 
     if (entries.nelts > 1) {
@@ -649,7 +649,7 @@ ngx_http_autoindex_error(ngx_http_request_t *r, ngx_dir_t *dir, ngx_str_t *name)
                       ngx_close_dir_n " \"%V\" failed", name);
     }
 
-    return NGX_HTTP_INTERNAL_SERVER_ERROR;
+    return r->header_sent ? NGX_ERROR : NGX_HTTP_INTERNAL_SERVER_ERROR;
 }
 
 

src/http/modules/ngx_http_fastcgi_module.c

@@ -1195,6 +1195,10 @@ ngx_http_fastcgi_reinit_request(ngx_http_request_t *r)
     f->fastcgi_stdout = 0;
     f->large_stderr = 0;
 
+    if (f->split_parts) {
+        f->split_parts->nelts = 0;
+    }
+
     r->state = 0;
 
     return NGX_OK;
@@ -1475,6 +1479,13 @@ ngx_http_fastcgi_process_header(ngx_http_request_t *r)
 
                     rc = ngx_http_parse_header_line(r, &buf, 1);
 
+                    if (rc != NGX_OK) {
+                        ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0,
+                                      "invalid header after joining "
+                                      "FastCGI records");
+                        return NGX_ERROR;
+                    }
+
                     h->key.len = r->header_name_end - r->header_name_start;
                     h->key.data = r->header_name_start;
                     h->key.data[h->key.len] = '\0';

src/http/modules/ngx_http_log_module.c

@@ -780,7 +780,7 @@ ngx_http_log_request_time(ngx_http_request_t *r, u_char *buf,
              ((tp->sec - r->start_sec) * 1000 + (tp->msec - r->start_msec));
     ms = ngx_max(ms, 0);
 
-    return ngx_sprintf(buf, "%T.%03M", ms / 1000, ms % 1000);
+    return ngx_sprintf(buf, "%T.%03M", (time_t) ms / 1000, ms % 1000);
 }
 
 

src/http/modules/ngx_http_proxy_module.c

@@ -615,7 +615,8 @@ static ngx_http_variable_t  ngx_http_proxy_vars[] = {
 #endif
 
     { ngx_string("proxy_internal_body_length"), NULL,
-      ngx_http_proxy_internal_body_length_variable, 0, NGX_HTTP_VAR_NOHASH, 0 },
+      ngx_http_proxy_internal_body_length_variable, 0,
+      NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 },
 
     { ngx_null_string, NULL, NULL, 0, 0, 0 }
 };

src/http/modules/ngx_http_upstream_least_conn_module.c

@@ -282,7 +282,10 @@ ngx_http_upstream_get_least_conn_peer(ngx_peer_connection_t *pc, void *data)
     }
 
     best->current_weight -= total;
-    best->checked = now;
+
+    if (now - best->checked > best->fail_timeout) {
+        best->checked = now;
+    }
 
     pc->sockaddr = best->sockaddr;
     pc->socklen = best->socklen;

src/http/modules/perl/nginx.xs

@@ -222,10 +222,11 @@ header_in(r, key)
     dXSTARG;
     ngx_http_request_t         *r;
     SV                         *key;
-    u_char                     *p, *lowcase_key, *cookie;
+    u_char                     *p, *lowcase_key, *value, sep;
     STRLEN                      len;
     ssize_t                     size;
     ngx_uint_t                  i, n, hash;
+    ngx_array_t                *a;
     ngx_list_part_t            *part;
     ngx_table_elt_t            *h, **ph;
     ngx_http_header_t          *hh;
@@ -255,6 +256,19 @@ header_in(r, key)
     hh = ngx_hash_find(&cmcf->headers_in_hash, hash, lowcase_key, len);
 
     if (hh) {
+
+        if (hh->offset == offsetof(ngx_http_headers_in_t, cookies)) {
+            sep = ';';
+            goto multi;
+        }
+
+    #if (NGX_HTTP_X_FORWARDED_FOR)
+        if (hh->offset == offsetof(ngx_http_headers_in_t, x_forwarded_for)) {
+            sep = ',';
+            goto multi;
+        }
+    #endif
+
         if (hh->offset) {
 
             ph = (ngx_table_elt_t **) ((char *) &r->headers_in + hh->offset);
@@ -268,15 +282,19 @@ header_in(r, key)
             XSRETURN_UNDEF;
         }
 
-        /* Cookie */
+    multi:
 
-        n = r->headers_in.cookies.nelts;
+        /* Cookie, X-Forwarded-For */
+
+        a = (ngx_array_t *) ((char *) &r->headers_in + hh->offset);
+
+        n = a->nelts;
 
         if (n == 0) {
             XSRETURN_UNDEF;
         }
 
-        ph = r->headers_in.cookies.elts;
+        ph = a->elts;
 
         if (n == 1) {
             ngx_http_perl_set_targ((*ph)->value.data, (*ph)->value.len);
@@ -290,12 +308,12 @@ header_in(r, key)
             size += ph[i]->value.len + sizeof("; ") - 1;
         }
 
-        cookie = ngx_pnalloc(r->pool, size);
-        if (cookie == NULL) {
+        value = ngx_pnalloc(r->pool, size);
+        if (value == NULL) {
             XSRETURN_UNDEF;
         }
 
-        p = cookie;
+        p = value;
 
         for (i = 0; /* void */ ; i++) {
             p = ngx_copy(p, ph[i]->value.data, ph[i]->value.len);
@@ -304,10 +322,10 @@ header_in(r, key)
                 break;
             }
 
-            *p++ = ';'; *p++ = ' ';
+            *p++ = sep; *p++ = ' ';
         }
 
-        ngx_http_perl_set_targ(cookie, size);
+        ngx_http_perl_set_targ(value, size);
 
         goto done;
     }
@@ -419,7 +437,7 @@ request_body(r)
 
     p = ngx_pnalloc(r->pool, len);
     if (p == NULL) {
-        return XSRETURN_UNDEF;
+        XSRETURN_UNDEF;
     }
 
     data = p;

src/http/ngx_http.h

@@ -89,7 +89,7 @@ ngx_int_t ngx_http_add_listen(ngx_conf_t *cf, ngx_http_core_srv_conf_t *cscf,
 void ngx_http_init_connection(ngx_connection_t *c);
 void ngx_http_close_connection(ngx_connection_t *c);
 
-#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+#if (NGX_HTTP_SSL && defined SSL_CTRL_SET_TLSEXT_HOSTNAME)
 int ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg);
 #endif
 

src/http/ngx_http_core_module.c

@@ -4758,7 +4758,9 @@ ngx_http_core_try_files(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
 
         tf[i].name = value[i + 1];
 
-        if (tf[i].name.data[tf[i].name.len - 1] == '/') {
+        if (tf[i].name.len > 0
+            && tf[i].name.data[tf[i].name.len - 1] == '/')
+        {
             tf[i].test_dir = 1;
             tf[i].name.len--;
             tf[i].name.data[tf[i].name.len] = '\0';

src/http/ngx_http_parse.c

@@ -614,6 +614,7 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
             default:
                 r->space_in_uri = 1;
                 state = sw_check_uri;
+                p--;
                 break;
             }
             break;
@@ -667,6 +668,7 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
             default:
                 r->space_in_uri = 1;
                 state = sw_uri;
+                p--;
                 break;
             }
             break;
@@ -2209,6 +2211,10 @@ data:
 
     }
 
+    if (ctx->size < 0 || ctx->length < 0) {
+        goto invalid;
+    }
+
     return rc;
 
 done:

src/http/ngx_http_request.c

@@ -423,20 +423,6 @@ ngx_http_wait_request_handler(ngx_event_t *rev)
 
     if (n == NGX_AGAIN) {
 
-#if (NGX_HAVE_DEFERRED_ACCEPT && defined TCP_DEFER_ACCEPT)
-        if (c->listening->deferred_accept
-#if (NGX_HTTP_SSL)
-            && c->ssl == NULL
-#endif
-            )
-        {
-            ngx_log_error(NGX_LOG_INFO, c->log, NGX_ETIMEDOUT,
-                          "client timed out in deferred accept");
-            ngx_http_close_connection(c);
-            return;
-        }
-#endif
-
         if (!rev->timer_set) {
             ngx_add_timer(rev, c->listening->post_accept_timeout);
             ngx_reusable_connection(c, 1);
@@ -635,15 +621,6 @@ ngx_http_ssl_handshake(ngx_event_t *rev)
     if (n == -1) {
         if (err == NGX_EAGAIN) {
 
-#if (NGX_HAVE_DEFERRED_ACCEPT && defined TCP_DEFER_ACCEPT)
-            if (c->listening->deferred_accept) {
-                ngx_log_error(NGX_LOG_INFO, c->log, NGX_ETIMEDOUT,
-                              "client timed out in deferred accept");
-                ngx_http_close_connection(c);
-                return;
-            }
-#endif
-
             if (!rev->timer_set) {
                 ngx_add_timer(rev, c->listening->post_accept_timeout);
                 ngx_reusable_connection(c, 1);
@@ -1955,7 +1932,7 @@ ngx_http_set_virtual_server(ngx_http_request_t *r, ngx_str_t *host)
 
     hc = r->http_connection;
 
-#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+#if (NGX_HTTP_SSL && defined SSL_CTRL_SET_TLSEXT_HOSTNAME)
 
     if (hc->ssl_servername) {
         if (hc->ssl_servername->len == host->len
@@ -1986,7 +1963,7 @@ ngx_http_set_virtual_server(ngx_http_request_t *r, ngx_str_t *host)
         return NGX_ERROR;
     }
 
-#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+#if (NGX_HTTP_SSL && defined SSL_CTRL_SET_TLSEXT_HOSTNAME)
 
     if (hc->ssl_servername) {
         ngx_http_ssl_srv_conf_t  *sscf;
@@ -2053,7 +2030,7 @@ ngx_http_find_virtual_server(ngx_connection_t *c,
 
         sn = virtual_names->regex;
 
-#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+#if (NGX_HTTP_SSL && defined SSL_CTRL_SET_TLSEXT_HOSTNAME)
 
         if (r == NULL) {
             ngx_http_connection_t  *hc;
@@ -2085,7 +2062,7 @@ ngx_http_find_virtual_server(ngx_connection_t *c,
             return NGX_DECLINED;
         }
 
-#endif /* SSL_CTRL_SET_TLSEXT_HOSTNAME */
+#endif /* NGX_HTTP_SSL && defined SSL_CTRL_SET_TLSEXT_HOSTNAME */
 
         for (i = 0; i < virtual_names->nregex; i++) {
 

src/http/ngx_http_request.h

@@ -295,7 +295,7 @@ typedef struct {
     ngx_http_addr_conf_t             *addr_conf;
     ngx_http_conf_ctx_t              *conf_ctx;
 
-#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+#if (NGX_HTTP_SSL && defined SSL_CTRL_SET_TLSEXT_HOSTNAME)
     ngx_str_t                        *ssl_servername;
 #if (NGX_PCRE)
     ngx_http_regex_t                 *ssl_servername_regex;

src/http/ngx_http_request_body.c

@@ -150,20 +150,27 @@ ngx_http_read_client_request_body(ngx_http_request_t *r,
                 goto done;
             }
 
-            cl = ngx_chain_get_free_buf(r->pool, &rb->free);
-            if (cl == NULL) {
-                return NGX_HTTP_INTERNAL_SERVER_ERROR;
+            if (rb->temp_file->file.offset != 0) {
+
+                cl = ngx_chain_get_free_buf(r->pool, &rb->free);
+                if (cl == NULL) {
+                    rc = NGX_HTTP_INTERNAL_SERVER_ERROR;
+                    goto done;
+                }
+
+                b = cl->buf;
+
+                ngx_memzero(b, sizeof(ngx_buf_t));
+
+                b->in_file = 1;
+                b->file_last = rb->temp_file->file.offset;
+                b->file = &rb->temp_file->file;
+
+                rb->bufs = cl;
+
+            } else {
+                rb->bufs = NULL;
             }
-
-            b = cl->buf;
-
-            ngx_memzero(b, sizeof(ngx_buf_t));
-
-            b->in_file = 1;
-            b->file_last = rb->temp_file->file.offset;
-            b->file = &rb->temp_file->file;
-
-            rb->bufs = cl;
         }
 
         post_handler(r);
@@ -374,20 +381,26 @@ ngx_http_do_read_client_request_body(ngx_http_request_t *r)
             return NGX_HTTP_INTERNAL_SERVER_ERROR;
         }
 
-        cl = ngx_chain_get_free_buf(r->pool, &rb->free);
-        if (cl == NULL) {
-            return NGX_HTTP_INTERNAL_SERVER_ERROR;
+        if (rb->temp_file->file.offset != 0) {
+
+            cl = ngx_chain_get_free_buf(r->pool, &rb->free);
+            if (cl == NULL) {
+                return NGX_HTTP_INTERNAL_SERVER_ERROR;
+            }
+
+            b = cl->buf;
+
+            ngx_memzero(b, sizeof(ngx_buf_t));
+
+            b->in_file = 1;
+            b->file_last = rb->temp_file->file.offset;
+            b->file = &rb->temp_file->file;
+
+            rb->bufs = cl;
+
+        } else {
+            rb->bufs = NULL;
         }
-
-        b = cl->buf;
-
-        ngx_memzero(b, sizeof(ngx_buf_t));
-
-        b->in_file = 1;
-        b->file_last = rb->temp_file->file.offset;
-        b->file = &rb->temp_file->file;
-
-        rb->bufs = cl;
     }
 
     r->read_event_handler = ngx_http_block_reading;
@@ -842,6 +855,10 @@ ngx_http_request_body_length_filter(ngx_http_request_t *r, ngx_chain_t *in)
 
     for (cl = in; cl; cl = cl->next) {
 
+        if (rb->rest == 0) {
+            break;
+        }
+
         tl = ngx_chain_get_free_buf(r->pool, &rb->free);
         if (tl == NULL) {
             return NGX_HTTP_INTERNAL_SERVER_ERROR;
@@ -936,13 +953,13 @@ ngx_http_request_body_chunked_filter(ngx_http_request_t *r, ngx_chain_t *in)
 
                 if (clcf->client_max_body_size
                     && clcf->client_max_body_size
-                       < r->headers_in.content_length_n + rb->chunked->size)
+                       - r->headers_in.content_length_n < rb->chunked->size)
                 {
                     ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
                                   "client intended to send too large chunked "
-                                  "body: %O bytes",
-                                  r->headers_in.content_length_n
-                                  + rb->chunked->size);
+                                  "body: %O+%O bytes",
+                                  r->headers_in.content_length_n,
+                                  rb->chunked->size);
 
                     r->lingering_close = 1;
 

src/http/ngx_http_spdy.c

@@ -1465,7 +1465,7 @@ static u_char *
 ngx_http_spdy_state_save(ngx_http_spdy_connection_t *sc,
     u_char *pos, u_char *end, ngx_http_spdy_handler_pt handler)
 {
-#if (NGX_DEBUG)
+#if 1
     if (end - pos > NGX_SPDY_STATE_BUFFER_SIZE) {
         ngx_log_error(NGX_LOG_ALERT, sc->connection->log, 0,
                       "spdy state buffer overflow: "
@@ -2529,13 +2529,6 @@ ngx_http_spdy_init_request_body(ngx_http_request_t *r)
             return NGX_ERROR;
         }
 
-        if (rb->rest == 0) {
-            buf->in_file = 1;
-            buf->file = &tf->file;
-        } else {
-            rb->buf = buf;
-        }
-
     } else {
 
         if (rb->rest == 0) {
@@ -2546,10 +2539,10 @@ ngx_http_spdy_init_request_body(ngx_http_request_t *r)
         if (buf == NULL) {
             return NGX_ERROR;
         }
-
-        rb->buf = buf;
     }
 
+    rb->buf = buf;
+
     rb->bufs = ngx_alloc_chain_link(r->pool);
     if (rb->bufs == NULL) {
         return NGX_ERROR;
@@ -2633,6 +2626,10 @@ ngx_http_spdy_close_stream(ngx_http_spdy_stream_t *stream, ngx_int_t rc)
         }
     }
 
+    if (sc->stream == stream) {
+        sc->stream = NULL;
+    }
+
     sscf = ngx_http_get_module_srv_conf(sc->http_connection->conf_ctx,
                                         ngx_http_spdy_module);
 

src/http/ngx_http_upstream.c

@@ -2456,14 +2456,12 @@ ngx_http_upstream_upgrade(ngx_http_request_t *r, ngx_http_upstream_t *u)
     if (u->peer.connection->read->ready
         || u->buffer.pos != u->buffer.last)
     {
+        ngx_post_event(c->read, &ngx_posted_events);
         ngx_http_upstream_process_upgraded(r, 1, 1);
+        return;
     }
 
-    if (c->read->ready
-        || r->header_in->pos != r->header_in->last)
-    {
-        ngx_http_upstream_process_upgraded(r, 0, 1);
-    }
+    ngx_http_upstream_process_upgraded(r, 0, 1);
 }
 
 

src/http/ngx_http_upstream_round_robin.c

@@ -523,7 +523,10 @@ ngx_http_upstream_get_peer(ngx_http_upstream_rr_peer_data_t *rrp)
     rrp->tried[n] |= m;
 
     best->current_weight -= total;
-    best->checked = now;
+
+    if (now - best->checked > best->fail_timeout) {
+        best->checked = now;
+    }
 
     return best;
 }

src/http/ngx_http_variables.c

@@ -1988,7 +1988,7 @@ ngx_http_variable_request_time(ngx_http_request_t *r,
              ((tp->sec - r->start_sec) * 1000 + (tp->msec - r->start_msec));
     ms = ngx_max(ms, 0);
 
-    v->len = ngx_sprintf(p, "%T.%03M", ms / 1000, ms % 1000) - p;
+    v->len = ngx_sprintf(p, "%T.%03M", (time_t) ms / 1000, ms % 1000) - p;
     v->valid = 1;
     v->no_cacheable = 0;
     v->not_found = 0;

src/mail/ngx_mail_smtp_module.c

@@ -277,7 +277,6 @@ ngx_mail_smtp_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
     p = ngx_cpymem(p, conf->capability.data, conf->capability.len);
 
     p = ngx_cpymem(p, "250 STARTTLS" CRLF, sizeof("250 STARTTLS" CRLF) - 1);
-    *p++ = CR; *p = LF;
 
     p = conf->starttls_capability.data
         + (last - conf->capability.data) + 3;

src/mail/ngx_mail_ssl_module.c

@@ -235,6 +235,11 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
        mode = "";
     }
 
+    if (conf->file == NULL) {
+        conf->file = prev->file;
+        conf->line = prev->line;
+    }
+
     if (*mode) {
 
         if (conf->certificate.len == 0) {

src/os/unix/ngx_errno.h

@@ -49,10 +49,10 @@ typedef int               ngx_err_t;
 #define NGX_ECANCELED     ECANCELED
 #define NGX_EILSEQ        EILSEQ
 #define NGX_ENOMOREFILES  0
+#define NGX_ELOOP         ELOOP
 
 #if (NGX_HAVE_OPENAT)
 #define NGX_EMLINK        EMLINK
-#define NGX_ELOOP         ELOOP
 #endif
 
 #if (__hpux__)

src/os/win32/ngx_errno.h

@@ -51,6 +51,7 @@ typedef DWORD                      ngx_err_t;
 #define NGX_EHOSTUNREACH           WSAEHOSTUNREACH
 #define NGX_ENOMOREFILES           ERROR_NO_MORE_FILES
 #define NGX_EILSEQ                 ERROR_NO_UNICODE_TRANSLATION
+#define NGX_ELOOP                  0
 
 #define NGX_EALREADY               WSAEALREADY
 #define NGX_EINVAL                 WSAEINVAL

src/os/win32/ngx_files.c

@@ -753,6 +753,8 @@ ngx_win32_check_filename(u_char *name, u_short *u, size_t len)
         goto invalid;
     }
 
+    ngx_free(lu);
+
     return NGX_OK;
 
 invalid: